ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
An e-commerce platform regularly experiences volumetric UDP reflection floods that saturate its Internet uplink, causing outages despite secure coding and WAF rules. Which additional control will most effectively improve operational resiliency against this type of Denial-of-Service attack?
Configure per-IP rate limiting in the web server
Enable HTTP Strict Transport Security (HSTS) with a one-year max-age directive
Require CAPTCHA challenges on all authentication and checkout pages
Route inbound traffic through an anycast-based cloud DDoS scrubbing service
Volumetric reflection floods overwhelm network bandwidth before traffic can reach the application or its on-premises defenses. Using an anycast-based cloud scrubbing service distributes the attack across many geographically dispersed edge nodes, absorbs the excess packets, and forwards only clean traffic to the origin, preventing link saturation. CAPTCHAs and server-side rate limiting can reduce application-layer abuse but do nothing when the circuit is already congested. HSTS merely enforces HTTPS and offers no bandwidth protection.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an anycast-based cloud DDoS scrubbing service?